FIDO2 – WindowsTechs.com

FIDO2 Yubikey, systemd-cryptenroll Options – Differences of –fido2-with-client-pin –fido2-with-user-presence –fido2-with-user-verification

Posted on March 11, 2025 by Janning Vygen

I added a FIDO2 token to my encrypted root parition with
systemd-cryptenroll <DISK>
–fido2-with-client-pin=true \
–fido2-with-user-presence \
–fido2-device=auto

The tool has three option for configuring what I need to unlo… Continue reading FIDO2 Yubikey, systemd-cryptenroll Options – Differences of –fido2-with-client-pin –fido2-with-user-presence –fido2-with-user-verification→

Would a passkey client that had a seed for backup break the specification?

Posted on March 4, 2025 by User65535

I have been thinking about backing up passkeys, I asked a previous question about backing up individual private keys. This procedure requires one to create the backup after creating the account.
There are some analogies between the algori… Continue reading Would a passkey client that had a seed for backup break the specification?→

Is a FIDO private key file for SSH cryptographically secure on it’s own?

Posted on February 18, 2025 by Philip Couling

Is an id_ed25519_sk cryptographically secure without a password?
I’m currently experimenting with a yubikey SSH identity. Following instructions to generate an SSH key:
sudo ssh-keygen -t ed25519-sk -O resident -O verify-required -C "… Continue reading Is a FIDO private key file for SSH cryptographically secure on it’s own?→

Is there a reason to not send signed FIDO2/WebAuthn session data to the client rather than storing it server side?

Posted on February 5, 2025 by aidan

Every WebAuthn implementation I’ve seen stores the session data server side, but that just seems pointless to me, since what seems to be essentially all the same data is already sent to the client in the options.
(For clarification what I’… Continue reading Is there a reason to not send signed FIDO2/WebAuthn session data to the client rather than storing it server side?→

Is clientDataJson and attestationObject required to verify assertion during authentication in WebAuthN?

Posted on November 8, 2024 by John Doe

Currently I am working on implementing/supporting WebAuthN in my service (JAVA). I have a Control Plane which handles the registration ceremony and Data Plane that handles the authentication ceremony. I am using WebAuthN4J. The persistent … Continue reading Is clientDataJson and attestationObject required to verify assertion during authentication in WebAuthN?→

Is there an equivalent to passkeys but to prevent cookie stealing?

Posted on August 16, 2024 by Gatonito

Passkeys prevent phishing, no one can make you login remotely (without exploits) and if they are hardware based and never leave the hardware, them even exploits might have a hard time getting them.
However, very simple exploits could still… Continue reading Is there an equivalent to passkeys but to prevent cookie stealing?→

MITM Attacks Can Still Bypass FIDO2 Security, Researchers Warn

Posted on May 15, 2024 by Deeba Ahmed

By Deeba Ahmed
Is FIDO2 truly unbreachable? Recent research exposes a potential vulnerability where attackers could use MITM techniques to bypass FIDO2 security keys.
This is a post from HackRead.com Read the original post: MITM Attacks Can Still Byp… Continue reading MITM Attacks Can Still Bypass FIDO2 Security, Researchers Warn→

Stealing cookies: Researchers describe how to bypass modern authentication

Posted on May 6, 2024 by djohnson

Passwordless authentication standards have improved identity security, but new research indicates this technology is vulnerable to token hijacks and man-in-the-middle attacks.

The post Stealing cookies: Researchers describe how to bypass modern authentication appeared first on CyberScoop.

Continue reading Stealing cookies: Researchers describe how to bypass modern authentication→

How does passkey login work, and where do the private keys get shared? [closed]

Posted on April 3, 2024 by pzrq

I’d like to better understand the threat model for passkey implementations, using a Bitwarden client or browser extension as an example.
Does Bitwarden care about the following specific FIDO2 details such as the use of ECDSA crypto, e.g. d… Continue reading How does passkey login work, and where do the private keys get shared? [closed]→

ssh-keygen fido2 keys without password

Posted on March 28, 2024 by cen

ssh-keygen -t ed25519-sk -O resident -C "yubikey-fido1

My understanding is that I should be able to generate openssh keys with fido2 without password and require touch-only. While that opens up a potential attack when both the device… Continue reading ssh-keygen fido2 keys without password→